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DETAILED ACTION 

1. This office action is in reply to an amendment filed on December 12, 2005. Claims 1, 20, 
22 and 30 have been amended and new claims 31-35 have been added. Claims 1-35 are 
pending. 

Response to Arguments 

2. Applicant's arguments with respect to claims 1-35 have been considered but are moot in 
view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject nfiatter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claim 1, 3-11, 13-19, 30 and 31-35 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Vaidya US Patent 6,279,113 B1 in view of Li et al. US Patent 6,567,408 B1 
(hereinafter Li). 

5. As per claims 1 and 30, Vaidya teaches a method for detecting intrusion on a network, 
comprising: 

storing signature profiles identifying patterns associated with network intrusion in a 
signature database [column 3, lines 27-38 and column 6, lines 35-42]; 
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generating classification rules based on said signature profiles [column 3, line 65 - 
column 4, line 8]; 

receiving data packets transmitted on the network [column 6, lines 60-68]; 

classifying data packets having corresponding classification rules according to said 
generated classification rules [column 6, line 57 - column 7, line 10]; 

forwarding said classified packets to a signature engine for comparison with signature 
profiles [column 6, lines 63 - column 7, lines 5 and column 7, lines 1 1-21]. Vaidya further 
teaches classifying data packets according to classification rules [column 6, line 57- column 7, 
line 10]. Vaidya is silent on carrying out the classification by a first classification stage capable 
of classifying the data packets and a second classification stage capable of classifying the data 
packets received from the first classification stage. However, classification of data packets with 
multi-level stages is well known in the art, which has the advantage of enhancing the 
performance and efficiency of the system. For example, Li teaches carrying out classification by 
a first classification stage capable of classifying the data packets on a first set of packet 
characteristics and a second classification stage capable of classifying the data packets 
received from the first classification stage based on a second set of characteristics [column 3, 
line 63-column 4, line 7, column 6, lines 37-67 and figure 7A]. Therefore, it would have been 
obvious to one having ordinary skill in the art at the time of applicant's invention to employ the 
teachings of Li within the system of Vaidya in order to enhance the performance and efficiency 
of the system. 

6. As per claims 3-9, Vaidya further teaches classifying said packets according to at least 
one packet field into groups [column 9, lines 46-61 and column 7, lines 2-21]. 
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7. As per claims 10, 11, 13 and 14, Vaidya further teaches performing a table lookup to 
select an action to be performed on said packet based on its classification [column 7, lines 2-1 1 
and column 9, lines 27-35]. 

8. As per claims 15 and 16, Vaidya further teaches partitioning signatures into disjoint 
groups to define subsets of signature profiles [column 6, lines 27-42]. 

9. As per claims 1 7-1 9, Vaidya further teaches filtering received packets and capturing 
packets at a network analysis device [column 8, lines 40-55]. 

1 0. As per claim 31 , Li further teaches the method wherein the first set of packet 
characteristics includes at least one of a destination address, a protocol type and a destination 
port number [column 9, lines 37-60 and figures 6 & 7A]. 

11. As per claim 32, Li further teaches the method wherein the second set of packet 
characteristics includes at least one of packet type and a size [column 6, lines 37-67]. 

12. As per claims 33 and 34, Li further teaches the method wherein only the second 
classification stage remains in communication with a flow table for identifying an action to be 
taken with respect to the data packets [column 6, lines 37-67 and figures 7and & A]. 

1 3. As per claim 35, Vaidya further teaches the method wherein the classification rules are 
generated after filtering the data packets [column 3, line 65 - column 4, line 8]. 
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14. Claims 20-29 are rejected under 35 U.S.C. 103(a) as being unpatentable over by 
Copeland, III US Pub. 2002/0144156 A1 (hereinafter Copeland) in view of Li US Patent 
6,567,408 B1. 

15. As per claim 20, Copeland teaches an intrusion detection system comprising: 

a signature classifier comprising a classifier operable to classify packets according to at 
least one packet field into groups [paragraph 0139, 0140 and 0165]; 

a flow table configured to support table lookups of actions associated with classified 
packets [paragraphs 0148, 0149]; 

a signature database for storing signature profiles identifying patterns associated with 
network intmsion [paragraphs 0020, 0153-0155]; and 

a detection engine operable to perform a table lookup at the flow table select an action 
to be performed on said packet based on its classification, wherein comparing said packets to at 
least a subset of the signature profiles is one of the actions [paragraphs 0157 -0159 and 0163- 
0165]. Furthermore, Copeland teaches classifying data packets according to data packet 
information [paragraph 0139, 0140 and 0165]. Copeland is silent on a classifier comprising a 
first stage classifier operable to classify packets according to at least one packet field into 
groups and a second stage classifier operable to classify said packets within each of the groups 
according to packet type or size. However, classification of data packets with multi-level stages 
is well known in the art. which has the advantage of enhancing the performance and efficiency 
of the system. For example, Li teaches classifier comprising a first stage classifier operable to 
classify packets according to at least one packet field into groups and a second stage classifier 
operable to classify said packets within each of the groups according to packet type or size 
[column 3, line 63-column 4, line 7, column 6, lines 37-67 and figure 7A]. Therefore, it would 
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have been obvious to one having ordinary skill in the art at the time of applicant's invention to 
employ the teachings of Li within the system of Copeland in order to enhance the performance 
and efficiency of the system. 

16. As per claims 21 and 22, Copeland teaches the system further comprising a data 
monitoring device having a capture engine operable to capture data passing through the 
network and configured to monitor network traffic, decode protocols, and analyze received data 
[paragraph 0137]. 

17. As per claim 23, Copeland further teaches a parser operable to parse, generate and 
load signatures at the detection engine [paragraphs 0142-0146]. 

18. As per claims 24, Copeland further teaches the system comprising an alarm manager 
operable to generate alarms [paragraphs 0162-0164]. 

19. As per claims 25 and 26, Copeland further teaches a filter configured to filter out packets 
received at the intrusion detection system [paragraphs 0139-0141]. 

20. As per claim 27, Copeland further teaches the flow table is a hash table [paragraphs 
0149-0150] 

21 . As per claims 28 and 29, Copeland further teaches action options listed in the flow table 
include dropping the packet and generating an alarm [paragraph 0165]. 
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22. Claims 2 and 12 are rejected under 35 U.S.C. 103(a) as being unpatentable over Vaidya 
US Patent 6,279,113 in view of Li et al. US Patent 6,567,408 B1 and further in view of Copeland 
US Pub. 2002/0144156 A1. 

23. As per claims 2 and 12, Vaidya-Li teache the method as applied to claim 1 above, 
Vaidya-Li is silent on the method comprising dropping data packets without conresponding 
classification rules. However, Copeland teaches an intrusion detection system including 
dropping data packets without corresponding classification rules [paragraph 0165]. Both Vaidya- 
Li and Copeland teach a network intrusion detection system. It would have been obvious to one 
having ordinary skill in the art at the time of applicant's invention to employ the teachings of 
Copeland within the system of Vaidya-LI in order to enhance the security of the system. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Beemnet W. Dada whose telephone number is (571) 272-3847. The 
examiner can normally be reached on Monday - Friday (9:00 am - 5:30 pm). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Y. Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto,gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



Beemnet Dada 
Febmary 18, 2006 



